On Tue, 17 Mar 2020 11:25:35 +0100 Jeremie Courreges-Anglas <j...@wxcvbn.org> wrote:
> On Mon, Mar 16 2020, Ian McWilliam <i.mcwill...@westernsydney.edu.au> wrote:
> > You'll actually need to add CGI::Fast as a package as it is missing.
> >
> > pkg_add p5-CGI-Fast
>
> FastCGI is indeed optional in this release of sympa, later releases
> make it mandatory[0]. The README already describes a FastCGI setup,
> and I suspect most users use FastCGI for sp33d these days, so the port
> could help the user a bit more. What about adding p5-CGI-Fast to
> RUN_DEPENDS?
>
> I'll note that our sympa port is out of date, 6.2.16 vs 6.2.54, and
> that it's probably affected by CVE-2018-1000550[1].
>
> [0] https://sympa-community.github.io/manual/upgrade/notes.html#from-versions-prior-to-6224
> [1] https://sympa-community.github.io/security/index.html

Thank you for letting me know about the CVE. I'll explore options for limiting access to the site as a mitigation, since users have the option to send commands via email anyway and only a couple admins really need access to the web portal.

I am actually stuck on a newer problem where I'm at a loss as to how to troubleshoot it. The Sympa web portal seems responsive on the main page, but when I try to set my login for admin through "First Login" the page appears to just refresh to the main page without taking me to the requested page.

I checked nginx logs:

2020/03/18 18:49:33 [error] 24697#0: *1 kevent() reported that connect() failed (61: Connection refused) while connecting to upstream, client: 11.11.11.11, server: domain.com, request: "GET / HTTP/2.0", upstream: "fastcgi://127.0.0.1:1026", host: "domain.com"
2020/03/18 18:49:33 [error] 24697#0: *1 kevent() reported that connect() failed (61: Connection refused) while connecting to upstream, client: 11.11.11.11, server: domain.com, request: "GET / HTTP/2.0", upstream: "fastcgi://[::1]:1026", host: "domain.com"
2020/03/18 18:49:47 [error] 24697#0: *1 kevent() reported that connect() failed (61: Connection refused) while connecting to upstream, client: 11.11.11.11, server: domain.com, request: "GET /HTTP/2.0", upstream: "fastcgi://[::1]:1026", host: "domain.com"

I checked /var/log/messages for wwsympa and got the following:

/var/log/messages:Mar 17 03:46:55 o wwsympa[82960]: err main::#1279 > main::get_parameters#2370 [robot domain.com] [client 11.11.11.11] Syntax error for parameter POSTDATA value "\^BB" not conform to regexp:[\\w\\-\\.]+; dumped vars in /var/spool/sympa/tmp/sympa_dump.1584442015.82960
/var/log/messages:Mar 17 03:46:55 o wwsympa[82960]: err main::#1279 > main::get_parameters#2370 [robot domain.com] [client 11.11.11.11] Syntax error for parameter POSTDATA value "\^\\^P\^Q" not conform to regexp:[\\w\\-\\.]+; dumped vars in /var/spool/sympa/tmp/sympa_dump.1584442015.82960
/var/log/messages:Mar 18 00:24:04 o wwsympa[82960]: err main::#1279 > main::get_parameters#2370 [robot domain.com] [client 22.22.22.22] Syntax error for parameter s value "/Index/\\think\\app/invokefunction" not conform to regexp:[\\w\\-\\.]+; dumped vars in /var/spool/sympa/tmp/sympa_dump.1584516244.80

Your help is very much appreciated. Thank you.